CN110929264B - Vulnerability detection method and device, electronic equipment and readable storage medium - Google Patents

Info

Publication number: CN110929264B
Authority: CN (China)
Application number: CN201911154446.9A
Other versions: CN110929264A (publication of the application)
Other languages: Chinese (zh)
Legal status: Active
Inventors: 叶红, 徐雅静, 卓越, 旷亚和
Assignee (current and original): Industrial and Commercial Bank of China Ltd (ICBC)
Prior art keywords: vulnerability, attack, application program, information, source file

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING
      • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
          • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
            • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
            • H04L63/1416 Event detection, e.g. attack signature detection
            • H04L63/1425 Traffic logging, e.g. anomaly detection
          • H04L63/1433 Vulnerability analysis


Abstract

The present disclosure provides a vulnerability detection method that includes: generating an attack script for an application program according to a source file of the application program; sending an attack request to the application program according to the attack script to determine whether the application program has a vulnerability; and, when the application program is determined to have a vulnerability: inserting a detection function into the source file according to the source file; sending a secondary attack request to the application program according to the attack script, so that the application program runs according to the source file with the detection function inserted and first running information is obtained; and determining vulnerability information of the vulnerability according to the first running information. The disclosure also provides a vulnerability detection apparatus, an electronic device and a computer-readable storage medium.

Description

Vulnerability detection method and device, electronic equipment and readable storage medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a vulnerability detection method and apparatus, an electronic device, and a readable storage medium.
Background
With the development of computer technology, application programs implementing various functions have become an indispensable part of daily life. However, while applications promote social development, the security of users' private information and property may be compromised by vulnerabilities. In order to discover the vulnerabilities and flaws of an application and determine that it is safe to use, its behavioural flaws and vulnerabilities must be identified with application security testing techniques.
In implementing the disclosed concept, the inventors found at least the following problems in the related art:
Traditional dynamic application security testing is a black-box technique: it analyses the dynamic running state of an application program in the test or running stage, simulates a hacker's attacks on the application's function points, and does not need to know the application's internal logic. Vulnerability discovery and verification are performed with an attack feature library, and this is a very common security test scheme in the industry. However, on the one hand the tester must crawl the structure of the application as completely as possible, and on the other hand attack packets must be sent to the application under test. Moreover, once a vulnerability is discovered, dynamic application security testing needs a long time to locate and analyse it.
Considering that most vulnerabilities arise from erroneous coding, static security testing techniques can be used to semantically understand a program's code, dependencies and configuration files. But static security testing can only examine the source code. Since a program follows different paths while running, a test based on the code alone can only check the correctness of the code and cannot cover the correctness of the functional design. Code analysis by static security testing therefore has limitations.
Disclosure of Invention
In view of the above, the present disclosure provides a vulnerability detection method, apparatus, electronic device and medium capable of effectively detecting a vulnerability of an application program.
In one aspect of the present disclosure, a vulnerability detection method is provided, which includes: generating an attack script for an application program according to a source file of the application program; sending an attack request to the application program according to the attack script to determine whether the application program has a vulnerability; and, when the application program is determined to have a vulnerability: inserting a detection function into the source file according to the source file; sending a secondary attack request to the application program according to the attack script, so that the application program runs according to the source file with the detection function inserted and first running information is obtained; and determining vulnerability information of the vulnerability according to the first running information.
According to an embodiment of the present disclosure, generating the attack script for the application program includes: obtaining, according to the source file, an attack vector matching the source file from a feature library; and generating the attack script according to the attack vector and an attack script template.
According to an embodiment of the present disclosure, sending the attack request to the application program according to the attack script to determine whether the application program has a vulnerability includes: sending the attack request to the application program according to the attack script, so that the application program runs according to the source file and second running information is obtained; and determining that the application program has a vulnerability when the second running information is abnormal.
According to an embodiment of the present disclosure, inserting the detection function into the source file includes: loading the method classes in the source file that are called when the application program runs; determining which of the method classes in the called source file are defined method classes belonging to a predetermined method class; and inserting the detection function into the source file at the positions where those method classes are defined. The predetermined method classes include method classes defined in an application-independent agent.
According to an embodiment of the present disclosure, determining the vulnerability information includes: determining, according to the first running information, whether the source file with the detection function inserted makes an abnormal call while the application program runs; and, when an abnormal call exists, taking the attribute information of the code in the source file from which the abnormal call is initiated as the vulnerability information.
According to an embodiment of the present disclosure, the vulnerability detection method further includes, after determining the vulnerability information of the vulnerability: determining the risk level of the vulnerability and/or the risk level of the application program according to the vulnerability information; and displaying the vulnerability information, the risk level of the vulnerability and/or the risk level of the application program.
According to an embodiment of the present disclosure, the vulnerability detection method further includes, after determining the vulnerability information of the vulnerability: sending alarm information to the server that supports the running of the application program, instructing the server to discard requests from the application program when it receives them.
According to an embodiment of the present disclosure, the vulnerability detection method further includes, after determining the vulnerability information of the vulnerability: acquiring patch information matching the vulnerability information; and resolving the matched vulnerability according to the patch information.
According to an embodiment of the present disclosure, the vulnerability detection method further includes constructing a feature library, which includes: acquiring attack feature messages for a plurality of vulnerability samples; extracting attack features from the attack feature messages to obtain a plurality of attack features; generating a plurality of attack vectors for the plurality of attack features according to a predetermined rule; and establishing a mapping between the plurality of attack vectors and context information according to the context information of the vulnerability samples.
Another aspect of the present disclosure provides a vulnerability detection apparatus, including: an attack script generation module for generating an attack script for an application program according to a source file of the application program; a vulnerability determining module for sending an attack request to the application program according to the attack script to determine whether the application program has a vulnerability; a detection function insertion module for inserting a detection function into the source file according to the source file when the application program is determined to have a vulnerability; a running information obtaining module for sending a secondary attack request to the application program according to the attack script, so that the application program runs according to the source file with the detection function inserted and first running information is obtained; and a vulnerability information determining module for determining vulnerability information of the vulnerability according to the first running information.
Another aspect of the disclosure provides an electronic device comprising one or more processors and storage for storing one or more programs, where the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the vulnerability detection method described above.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions for implementing the vulnerability detection method as described above when executed.
Another aspect of the present disclosure provides a computer program comprising computer executable instructions for implementing the vulnerability detection method as described above when executed.
According to the embodiments of the disclosure, the attack script for the application program is generated automatically from the source file, and the secondary attack is carried out with a detection function inserted into the source file, so that the running flow of the code can be analysed dynamically from the running information and the position of the vulnerability can be located effectively while detection accuracy is ensured.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:
Fig. 1 schematically illustrates an application scenario of a vulnerability detection method, apparatus, electronic device and readable storage medium according to an embodiment of the present disclosure;
Fig. 2 schematically shows a flowchart of a vulnerability detection method according to a first exemplary embodiment of the present disclosure;
Fig. 3 schematically shows a flowchart of a vulnerability detection method according to a second exemplary embodiment of the present disclosure;
Fig. 4 schematically shows a flowchart for building a feature library according to an embodiment of the present disclosure;
Fig. 5 schematically shows a flowchart for generating an attack script for an application program according to an embodiment of the present disclosure;
Fig. 6 schematically shows a flowchart for determining whether a vulnerability exists in an application program according to an embodiment of the present disclosure;
Fig. 7 schematically shows a flowchart for inserting a detection function into a source file according to an embodiment of the present disclosure;
Fig. 8 schematically shows a flowchart for determining vulnerability information of a vulnerability according to an embodiment of the present disclosure;
Fig. 9 schematically shows a flowchart of a vulnerability detection method according to a third exemplary embodiment of the present disclosure;
Fig. 10 schematically shows a flowchart of a vulnerability detection method according to a fourth exemplary embodiment of the present disclosure;
Fig. 11 schematically shows a flowchart of a vulnerability detection method according to a fifth exemplary embodiment of the present disclosure;
Fig. 12 schematically shows a block diagram of the structure of a vulnerability detection apparatus according to an embodiment of the present disclosure; and
Fig. 13 schematically shows a block diagram of an electronic device adapted to perform a vulnerability detection method according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that these descriptions are illustrative only and are not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs, unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.). Where a convention analogous to "at least one of A, B or C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
The embodiment of the disclosure provides a vulnerability detection method comprising the following steps. First, an attack script for the application program is generated according to a source file of the application program. Then, an attack request is sent to the application program according to the attack script to determine whether the application program has a vulnerability. Finally, and only when the application program has a vulnerability: a detection function is first inserted into the source file according to the source file; then a secondary attack request is sent to the application program according to the attack script, so that the application program runs according to the source file with the detection function inserted and first running information is obtained; and finally the vulnerability information of the vulnerability is determined according to the first running information.
Fig. 1 schematically illustrates an application scenario 100 of a vulnerability detection method, apparatus, electronic device and readable storage medium according to an embodiment of the present disclosure. It should be noted that fig. 1 is only an example of an application scenario in which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, but does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.
As shown in fig. 1, an application scenario 100 according to this embodiment may include, for example, a terminal device 101, at least one application 102 configured with an agent, and a server 103.
The terminal device 101 may be any of various electronic devices with processing capability, including but not limited to a smart phone, a tablet computer, a laptop computer, a desktop computer, and the like. The at least one application 102 configured with the agent, as well as other applications, may be installed in the terminal device 101. The at least one application and/or the other applications may include, for example only, a web browser application, a search application, an instant messaging application, a payment application, and the like.
According to the embodiment of the disclosure, each application program of the at least one application program is provided with an agent, which is configured to collect the running information of that application program and send it to the terminal device 101 or the server 103, so that the terminal device 101 or the server 103 determines from the running information whether the application program has a vulnerability and, if so, locates the vulnerability in the application program according to the running information.
According to an embodiment of the present disclosure, communication between the terminal apparatus 101 and the server 103 may be performed through a network, for example. The network may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few. The server 103 may be a background management server providing support for the running of at least one application.
According to an embodiment of the present disclosure, the application scenario 100 may further include, for example, an operation and maintenance person, and the terminal device 101 may have, for example, a display screen, and is used to show vulnerability information of a located vulnerability to the operation and maintenance person. The vulnerability information may include, for example, location information of the vulnerability in the application, vulnerability type, vulnerability risk level, and the like.
It should be noted that the vulnerability detection method provided by the embodiment of the present disclosure may be generally executed by the terminal device 101 or the server 103. Accordingly, the vulnerability detection apparatus provided by the embodiment of the present disclosure may be generally disposed in the terminal device 101 or the server 103.
It should be understood that the types of the terminal device 101, the application 102, and the server 103 described above are merely illustrative, and any type of terminal device 101, application 102, and server 103 may be provided according to implementation needs.
The vulnerability detection method provided by the present disclosure will be described in detail below with reference to fig. 2 to 11.
Fig. 2 schematically shows a flowchart of a vulnerability detection method according to a first exemplary embodiment of the present disclosure.
As shown in fig. 2, the vulnerability detection method of the embodiment of the present disclosure may include operations S210 to S250.
In operation S210, an attack script for an application program is generated according to a source file of the application program.
According to an embodiment of the present disclosure, a source file of an application program may be, for example, the running script of the application program. The attack script for the application program may be generated, for example, according to the function of the application program, or according to the type of code included in the source file. For example, if the application program has a query function, an SQL injection vulnerability may exist, so the generated attack script may be an SQL injection script.
According to the embodiment of the disclosure, before the attack script is generated, the source files of a plurality of application programs that have been attacked, and the attack feature messages corresponding to the attacks on those application programs, may be collected by statistics. Then, according to the source file of the application program to be detected, a first source file with the highest similarity to it is found by statistical analysis among the collected source files, and the attack feature message that attacked the application program of the first source file is used as the attack script for the application program to be detected.
According to an embodiment of the present disclosure, operation S210 may be implemented, for example, by operations S511 to S512 described with reference to fig. 5, which are not repeated here.
In operation S220, an attack request is sent to the application program according to the attack script to determine whether the application program has a vulnerability.
According to an embodiment of the present disclosure, sending the attack request to the application program according to the attack script may include, for example: while the application program runs, inserting the attack script into the source file, obtaining running information by running the source file with the attack script inserted, and then determining from the running information whether the application program has a vulnerability. According to an embodiment of the present disclosure, operation S220 may be implemented, for example, by operations S621 to S622 described with reference to fig. 6, which are not repeated here.
In operation S230, in case it is determined that the application has a bug, a detection function is inserted in the source file according to the source file.
According to embodiments of the present disclosure, the detection function may be, for example, a function for scanning and detecting the code in the source file. When the detection function is inserted into the source file, an insertion point may be set according to the context information of the code in the source file, and the detection function is then inserted at the position of that insertion point. According to an embodiment of the present disclosure, operation S230 may be implemented, for example, by operations S731 to S733 described with reference to fig. 7, which are not repeated here.
In operation S240, a secondary attack request is issued to the application program according to the attack script to run the application program according to the source file inserted into the detection function, so as to obtain first running information.
According to an embodiment of the present disclosure, operation S240 may include, for example: in a manner similar to operation S220, while the application program runs, inserting the attack script into the source file into which the detection function has already been inserted, so as to obtain the first running information. The first running information may be collected, for example, by the agent provided in the application program.
According to an embodiment of the present disclosure, the first running information may include, for example: the functions called during running, the methods called during running, information on dialog boxes that popped up, and the like.
In operation S250, vulnerability information of a vulnerability is determined according to the first operation information.
According to an embodiment of the present disclosure, operation S250 may include, for example: determining whether the first running information contains abnormal information; if abnormal information exists, determining that the code in the source file that generated the abnormal information is the code with the vulnerability; and finally obtaining the vulnerability information from the code with the vulnerability.
According to an embodiment of the present disclosure, the vulnerability information may include, for example: the URL (uniform resource locator) of the code with the vulnerability, the file name (Filename) of the source file containing that code, the function or method called by that code during running, the parameters (Parameters) involved in that code, and/or the line number of that code in the source file, and the like.
According to an embodiment of the present disclosure, operation S250 may be implemented, for example, by operations S851 to S852 described with reference to fig. 8, which are not described in detail here.
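The instrumentation-and-replay step (operations S230 to S250) as an added example in Python; this is not code from the patent. It assumes a constructed application whose database class derives from an agent-defined sink class (DbGateway), and a constructed marker string standing in for the attack script, so that an abnormal call is a sink call in which the marker reached the statement text instead of being bound as a parameter.

```python
import functools
import inspect
import os

MARKER = "IAST_MARKER_7f3a"   # constructed marker carried by the secondary attack request
RUNNING = []                  # "first running information" collected by the agent


class DbGateway:
    """Predetermined method class, defined in the application-independent agent:
    the SQL sink whose calls the detection function observes."""

    def execute(self, sql, params=()):
        # Constructed stand-in for a real database driver call.
        return (sql, tuple(params))


class AppDb(DbGateway):
    """Class defined in the application's source file; it belongs to DbGateway."""


def handle_request(db, url, query):
    """Constructed application entry point: one handler splices the request
    parameter into the statement text, the other binds it as a parameter."""
    if url == "/users/by-name":
        return db.execute("SELECT * FROM users WHERE name = '" + query["name"] + "'")
    if url == "/users/by-id":
        return db.execute("SELECT * FROM users WHERE id = ?", (query["id"],))
    raise KeyError(url)


def detection_function(method):
    """Wrap a sink method so that every call records which application code
    invoked it (file and line), the method name and the parameters."""
    @functools.wraps(method)
    def wrapper(self, *args, **kwargs):
        caller = inspect.currentframe().f_back      # the application frame that called the sink
        RUNNING.append({
            "filename": os.path.basename(caller.f_code.co_filename),
            "line": caller.f_lineno,
            "method": f"{type(self).__name__}.{method.__name__}",
            "parameters": list(args) + list(kwargs.values()),
        })
        return method(self, *args, **kwargs)
    wrapper._detection = True                       # guard against wrapping twice
    return wrapper


def insert_detection_function(namespace, predetermined):
    """Operation S230: among the classes defined in the application namespace, find
    those belonging to a predetermined agent class and wrap their public methods."""
    inserted = []
    for name, obj in list(namespace.items()):
        if not (inspect.isclass(obj) and issubclass(obj, predetermined) and obj is not predetermined):
            continue
        for meth_name, _ in inspect.getmembers(predetermined, inspect.isfunction):
            current = getattr(obj, meth_name)
            if meth_name.startswith("_") or getattr(current, "_detection", False):
                continue
            setattr(obj, meth_name, detection_function(current))
            inserted.append(f"{name}.{meth_name}")
    return inserted


def determine_vulnerability_info(url, running, marker=MARKER):
    """Operation S250: a call is abnormal when the marker reached a string argument of
    the sink, i.e. request data ended up in the statement text rather than bound.
    The attribute information of the calling code is the vulnerability information."""
    findings = []
    for call in running:
        if any(isinstance(p, str) and marker in p for p in call["parameters"]):
            findings.append({"url": url, **call})
    return findings


def secondary_attack(url, param_name):
    """Operation S240: run the instrumented application against a request carrying the
    marker and return (first running information, vulnerability information)."""
    insert_detection_function({"AppDb": AppDb}, DbGateway)
    RUNNING.clear()
    handle_request(AppDb(), url, {param_name: MARKER})
    running = list(RUNNING)
    return running, determine_vulnerability_info(url, running)


if __name__ == "__main__":
    for url, key in (("/users/by-name", "name"), ("/users/by-id", "id")):
        _, info = secondary_attack(url, key)
        print(url, "->", info or "no abnormal call")
```

The by-name handler is reported with URL, file name, method, parameters and line number, which are exactly the vulnerability information fields listed above; the by-id handler produces a recorded call but no finding.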
In summary, the vulnerability detection method according to the embodiment of the present disclosure can automatically generate an attack script for an application program from its source file and carry out a secondary attack with a detection function inserted into the source file, so that the running flow of the code can be analysed dynamically from the running information, locating the position of the vulnerability effectively while ensuring detection accuracy.
According to the embodiment of the disclosure, to facilitate generating the attack script, the attack feature messages corresponding to attacked application programs may be collected and analysed to obtain the rules and logic for generating attack scripts for the application program. Alternatively, the collected attack feature messages may be analysed to obtain the attack vectors contained in the attack scripts, and all the attack vectors combined into a feature library. In this case, an operation of constructing the feature library should be included before the attack script for the application program to be detected is generated.
Fig. 3 schematically shows a flowchart of a vulnerability detection method according to a second exemplary embodiment of the present disclosure, and fig. 4 schematically shows a flowchart of building a feature library according to an embodiment of the present disclosure
As shown in fig. 3, the vulnerability detection method according to the embodiment of the present disclosure may further include, in addition to operations S210 to S250, operation S360: and constructing a feature library.
According to the embodiment of the present disclosure, the feature library may include a plurality of feature vectors extracted according to the collected attack feature packets.
According to the embodiment of the present disclosure, in order to improve the accuracy of the feature library and the attack efficiency of the attack scripts generated from the feature vectors, the feature vectors may be further classified into a plurality of categories, for example by using a machine learning classification algorithm. The machine learning classification algorithm may classify the feature vectors according to the vulnerability targeted by the attack feature packet from which each feature vector was extracted, for example. For example, if the vulnerability targeted by an attack feature packet is an SQL injection vulnerability, the feature vector extracted from that packet may be classified into an SQL injection category.
According to an embodiment of the present disclosure, as shown in fig. 4, the operation S360 of building the feature library may be implemented by operations S461 to S464, for example.
In operation S461, attack feature packets for a plurality of vulnerability samples are obtained. In operation S462, the attack features of the attack feature packets are extracted to obtain a plurality of attack features.
According to the embodiment of the present disclosure, for example, a large number of combinations of attack feature packets and vulnerability samples may be stored in the server 130, where the attack feature packet in each combination is an attack script that has launched an attack on the vulnerability sample in that combination. Alternatively, the attack feature packet may be an attack script detected in real time that launches an attack on another application program.
According to an embodiment of the present disclosure, operation S462 may include, for example: extracting the attack features with a network-based automatic attack feature extraction method (NSG), a white-box method, a gray-box method or a black-box method, and the like. The extracted attack features may include, for example, string-type features, numeric-type features, and the like. A string-type feature describes the attack by the composition, distribution or frequency of the characters in a string (binary string).
In operation S463, a plurality of attack vectors for a plurality of attack features are generated according to a predetermined rule. According to an embodiment of the present disclosure, this operation S463 may include, for example: the plurality of attack features are named according to a predetermined naming rule. Or, the extracted attack features can be subjected to format conversion according to the format requirement of the attack script template to obtain a plurality of attack vectors which can be directly transmitted into the attack script template.
In operation S464, a mapping relationship between a plurality of attack vectors and context information is established according to the context information of the plurality of vulnerability samples.
According to an embodiment of the present disclosure, the operation S464 may include, for example: obtaining the context information of the plurality of vulnerability samples, and then establishing, for each vulnerability sample, a mapping relation between the context information of that sample and the attack vectors generated from the attack features extracted from the attack feature packet that belongs to the same combination as the sample. The context information may include, for example: information about the functions called in the vulnerability sample, the ordering (precedence relation) of the functions in the vulnerability sample, class information of the method classes called in the vulnerability sample, and the like.
According to an embodiment of the present disclosure, in one embodiment, the operations S461 to S464 may proceed, for example, as follows: existing attack scripts are collected first and then classified by attack type. For example, if the collected attack scripts include an SQL injection script, the plurality of attack features extracted from the SQL injection script may be converted into attack vectors by a predetermined rule and stored as SQL injection features, and an SQL injection feature library may be formed from them. Finally, a mapping relation is established between the SQL injection features and the query function in the application program. It is to be understood that the attack scripts collected above are merely examples to facilitate understanding of the present disclosure, and the present disclosure is not limited thereto. For example, the collected attack scripts may also include scripts for a cross-site scripting attack.
According to the embodiment of the present disclosure, in order to classify the attack features, for example, the attack feature packets may first be classified, and the attack features extracted from attack feature packets belonging to the same class are assigned to the same class of attack features. Alternatively, classifying the attack features may include, for example, extracting the features of all attack feature packets first and then classifying all the extracted attack features.
According to the embodiment of the disclosure, after the feature library is created, since a mapping relation has been established between the attack vectors in the feature library and the context information of application programs, the attack vectors that have a mapping relation with the source file of the application program to be detected can be used to generate the attack script, which improves the accuracy of the generated attack script.
FIG. 5 schematically shows a flowchart for generating an attack script for an application according to an embodiment of the present disclosure.
As shown in fig. 5, operation S210 of generating an attack script for an application according to an embodiment of the present disclosure may include, for example, operations S511 to S512.
In operation S511, an attack vector matching the source file is acquired from the feature library according to the source file. According to an embodiment of the present disclosure, the operation S511 may include, for example: firstly, determining the function defined in the source file, and then taking the attack vector which has a mapping relation with the function defined in the source file in the feature library as the attack vector matched with the source file.
In operation S512, an attack script is generated according to the attack vector and the attack script template.
According to embodiments of the present disclosure, there may be different attack script templates for attack vectors belonging to different categories, for example. The attack script template may be, for example, a skeleton of an attack script in which an attack vector injection slot is reserved; the attack script may then be generated by inserting the attack vector acquired in operation S511 into the injection slot of the skeleton.
According to the embodiment of the disclosure, for an application program with a query function, the determined attack vector may be, for example, the SQL injection feature admin' together with pass=1234. Substituting the SQL injection feature admin' and the IP address of the application program into an attack script template such as "http://XXXXXX/login.asp?name=XX&pass=XXXX" yields the attack script "http://172.18.2.11/login.asp?name=admin'&pass=1234". It is to be understood that the above attack vector, attack script template and generated attack script are only examples to facilitate understanding of the present disclosure, and the present disclosure is not limited thereto.
Fig. 6 schematically shows a flowchart for determining whether a vulnerability exists in an application according to an embodiment of the present disclosure.
As shown in fig. 6, operation S220 of determining whether the application has a bug may include, for example, operations S621 to S622.
In operation S621, an attack request is issued to the application program according to the attack script so that the application program runs according to the source file, and second running information is obtained. According to an embodiment of the present disclosure, the second running information is similar to the first running information and is not described again here.
In operation S622, if the second running information contains an exception, it is determined that the application program has a vulnerability.
According to an embodiment of the present disclosure, the operation S622 may include, for example: comparing the second running information with the standard running information of the application program to be detected to determine whether the second running information is abnormal. The standard running information may be, for example, preset running information of the application program when it has no vulnerability. For example, if the method classes that must be called when the application completes the query function are A, B and C, called in that order, the standard running information records A, B and C called in that order. If the method classes called for the query function in the second running information obtained in operation S621 are B, A and C in that order, it may be determined that the second running information is abnormal and the application has a vulnerability. Alternatively, if a class called in the second running information is an illegal class constructed from a request sent to the application program, it may be determined that the second running information is abnormal and the application program has a vulnerability. Or, if the second running information includes the popping up of a redundant dialog box, it may be determined that the second running information is abnormal and the application program has a vulnerability.
According to an embodiment of the present disclosure, in order to insert a detection function into the source file, Instrumentation may be used, for example. Instrumentation is an agent independent of the application program that detects and assists the application program running on the JVM. Several method classes may be defined in the Instrumentation agent, and the agent can dynamically change the definition of a method class. According to an embodiment of the present disclosure, the Instrumentation agent may be started, for example, by specifying a particular jar file with the -javaagent parameter.
FIG. 7 schematically shows a flow diagram for inserting a detection function in a source file according to an embodiment of the disclosure.
As shown in fig. 7, operation S230 of inserting a detection function in a source file of the embodiment of the present disclosure may include, for example, operations S731 to S733.
In operation S731, a method class in a source file called when an application is run is loaded. According to an embodiment of the present disclosure, the operation S731 may include, for example: and determining all method classes which need to be called by the application program in the running process according to the source file.
In operation S732, a defined method class belonging to a predetermined class among method classes in the called source file is determined. The operation S732 may include: it is determined whether all the method classes obtained in operation S731 include the method class defined in the Instrumentation. If included, all method classes that have a definition in Instrumentation are defined as defined method classes.
After determining the defined method class, operation S733 may be performed to insert a detection function into the source file at the position of the defined method class.
According to an embodiment of the present disclosure, the complete flow of inserting the detection function may be, for example: when an ordinary Java program is run, an Instrumentation agent is started. The agent lets operation and maintenance personnel obtain and access the bytecode while the JVM is running and provides operations for editing the bytecode, so that they can inject their own code into the application. The JVM is then started, and while the application program runs, if a method class loaded during startup is defined in the agent, that class goes through a hook flow for instrumentation and the code of the detection function is inserted at a specific position in the class.
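As an added example of the agent flow in operations S731 to S733 (it is not the patent's own code): a Java agent started with -javaagent that uses the ASM library to insert, at the entry of every method of the predetermined classes, a static call to a detection function which records the class, the method and the calling source line. The class list, the DetectionAgent.record name, the Premain-Class manifest entry and the ASM dependency (org.ow2.asm:asm, Java 9 or later) are assumptions of this example.

```java
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;
import java.util.Set;

import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassVisitor;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.MethodVisitor;
import org.objectweb.asm.Opcodes;

/**
 * Added example of the detection-function agent from operations S731 to S733; it is not
 * the patent's own code. Assumptions: the predetermined classes are a hard-coded list, the
 * detection function is the static method DetectionAgent.record, the agent jar's manifest
 * declares "Premain-Class: DetectionAgent", and the ASM library (org.ow2.asm:asm) is bundled.
 */
public final class DetectionAgent {

    /** Predetermined method classes (S732), as JVM internal names. Constructed sample list. */
    private static final Set<String> DEFINED_CLASSES = Set.of(
            "com/example/app/LoginDao",       // implements the query function
            "com/example/app/ReportLoader");  // calls ObjectInputStream.readObject

    /** Entry point used when the JVM starts with -javaagent:detection-agent.jar. */
    public static void premain(String agentArgs, Instrumentation inst) {
        inst.addTransformer(new DetectionTransformer());
    }

    /**
     * The detection function inserted at the start of each instrumented method. It records
     * the class, the method and the source line that initiated the call, which forms the
     * first running information later analysed in operations S851 and S852.
     */
    public static void record(String className, String methodName) {
        // Frame 0 is record(), frame 1 is the instrumented method, frame 2 is its caller,
        // i.e. the code in the source file from which the call was initiated.
        StackTraceElement[] frames = new Throwable().getStackTrace();
        StackTraceElement caller = frames.length > 2 ? frames[2] : frames[frames.length - 1];
        System.err.printf("DETECT class=%s method=%s caller=%s:%d%n",
                className, methodName, caller.getFileName(), caller.getLineNumber());
    }

    /** Operation S732: does a loaded class belong to the predetermined classes? */
    static boolean isDefinedClass(String internalName) {
        return internalName != null && DEFINED_CLASSES.contains(internalName);
    }

    /** The hook flow of S731/S733: called by the JVM for every class it loads. */
    static final class DetectionTransformer implements ClassFileTransformer {
        @Override
        public byte[] transform(ClassLoader loader, String className, Class<?> redefined,
                                ProtectionDomain pd, byte[] classfileBuffer) {
            if (!isDefinedClass(className)) {
                return null; // null keeps the original bytecode unchanged
            }
            ClassReader reader = new ClassReader(classfileBuffer);
            ClassWriter writer = new ClassWriter(reader, ClassWriter.COMPUTE_MAXS);
            reader.accept(new RecordingClassVisitor(writer, className), 0);
            return writer.toByteArray();
        }
    }

    /** Rewrites every concrete method so that its first action is a call to record(). */
    static final class RecordingClassVisitor extends ClassVisitor {
        private final String className;

        RecordingClassVisitor(ClassVisitor next, String className) {
            super(Opcodes.ASM9, next);
            this.className = className;
        }

        @Override
        public MethodVisitor visitMethod(int access, String name, String desc,
                                         String signature, String[] exceptions) {
            MethodVisitor target = super.visitMethod(access, name, desc, signature, exceptions);
            boolean hasNoBody = (access & (Opcodes.ACC_ABSTRACT | Opcodes.ACC_NATIVE)) != 0;
            if (target == null || hasNoBody || "<clinit>".equals(name)) {
                return target; // nothing to instrument
            }
            return new MethodVisitor(Opcodes.ASM9, target) {
                @Override
                public void visitCode() {
                    super.visitCode();
                    // Emits: DetectionAgent.record("<class>", "<method>");
                    super.visitLdcInsn(className.replace('/', '.'));
                    super.visitLdcInsn(name);
                    super.visitMethodInsn(Opcodes.INVOKESTATIC, "DetectionAgent", "record",
                            "(Ljava/lang/String;Ljava/lang/String;)V", false);
                }
            };
        }
    }
}
```

Because the agent jar is appended to the system class path, the instrumented application classes can resolve the DetectionAgent.record call; classes not in the predetermined list are returned unchanged.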
Fig. 8 schematically shows a flowchart of determining vulnerability information of a vulnerability according to an embodiment of the present disclosure.
As shown in fig. 8, operation S250 of determining vulnerability information of a vulnerability according to the embodiment of the present disclosure may include, for example, operations S851 to S852.
In operation S851, it is determined from the first running information whether there is an abnormal call in the source file into which the detection function has been inserted.
According to an embodiment of the present disclosure, the method of determining whether an abnormal call exists in the source file into which the detection function has been inserted is similar to the method of determining whether the second running information is abnormal in operation S622. For example, when a specific behavior such as a file read/write or a database query occurs while the application program runs, the normal call flow calls a method class that has been modified with ASM to insert the detection function, so the detection function can check whether the call is legal. If the call flow obtained from the first running information is inconsistent with this normal call flow, it may be determined that there is an abnormal call in the source file into which the detection function has been inserted.
In operation S852, if there is an abnormal call, the attribute information of the code in the source file from which the abnormal call was initiated is determined to be the vulnerability information.
According to the embodiment of the disclosure, the existence of an abnormal call indicates that the application program has a vulnerability, and that the vulnerability is caused by the code in the source file that initiated the abnormal call. Therefore, the code in the source file from which the abnormal call determined in operation S851 was initiated is determined to be the code causing the vulnerability, and the attribute information of that code is acquired as the vulnerability information. The vulnerability information includes the function information of the call made by the vulnerable code, the called method class information, the URL of the vulnerable code, its line number in the source file, and so on.
According to the embodiment of the disclosure, for example, for a deserialization vulnerability, no matter how the patch is bypassed, the deserialization method must eventually be called, and Java command-execution code is then invoked. Thus, if there is a call to the deserialization method in the source file, it can be determined that there is an abnormal call, and the attribute information of the code in the source file that calls the deserialization method is taken as the vulnerability information.
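As an added example (not from the patent) of operations S622 and S851 to S852: the call flow recorded by the detection function is parsed from its log lines, compared with the standard running information, and the first abnormal call is turned into vulnerability information (URL, Filename, Method, line number). The log line format, the standard flow A, B, C, the class names and the sample log are constructed for this example; it assumes Java 16 or later.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example of operations S622 and S851/S852 (not the patent's own code).
 * The detection function's log format, the standard call flow and the class
 * names are constructed for this example.
 */
public final class CallFlowAnalyzer {

    /** One call recorded by the detection function inserted in operation S733. */
    public record Call(String className, String method, String callerFile, int line, String url) {}

    /** Vulnerability information as listed in the patent: URL, Filename, Method, line number. */
    public record VulnerabilityInfo(String url, String filename, String method, int line, String reason) {}

    /** Standard running information (constructed): the query function calls A, B, C in order. */
    static final List<String> STANDARD_QUERY_FLOW = List.of("A", "B", "C");

    /** Method classes defined in the application's source file (constructed). */
    static final Set<String> SOURCE_FILE_CLASSES = Set.of("Login", "A", "B", "C");

    /** Deserialization entry point from the patent's example: any call to it is abnormal. */
    static final String DESERIALIZATION_METHOD = "java.io.ObjectInputStream.readObject";

    private static final Pattern LOG_LINE = Pattern.compile(
            "DETECT class=(\\S+) method=(\\S+) caller=(\\S+):(\\d+) url=(\\S+)");

    /** Parses the first running information (detection function output) into calls. */
    public static List<Call> parse(List<String> logLines) {
        List<Call> calls = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = LOG_LINE.matcher(line);
            if (m.find()) {
                calls.add(new Call(m.group(1), m.group(2), m.group(3),
                        Integer.parseInt(m.group(4)), m.group(5)));
            }
        }
        return calls;
    }

    /**
     * Operation S851: finds the first abnormal call. The three checks mirror the patent:
     * a deserialization call, a class that is not defined in the source file (an
     * "illegal class" built from the request), and the standard flow called out of order.
     */
    public static Optional<VulnerabilityInfo> findAbnormalCall(List<Call> calls) {
        int expected = 0; // index into STANDARD_QUERY_FLOW of the next call we expect
        for (Call c : calls) {
            String qualified = c.className() + "." + c.method();
            if (DESERIALIZATION_METHOD.equals(qualified)) {
                return Optional.of(toInfo(c, "call to deserialization method"));
            }
            if (!SOURCE_FILE_CLASSES.contains(c.className())) {
                return Optional.of(toInfo(c, "illegal class " + c.className()));
            }
            if (STANDARD_QUERY_FLOW.contains(c.className())) {
                String want = STANDARD_QUERY_FLOW.get(expected);
                if (!want.equals(c.className())) {
                    return Optional.of(toInfo(c, "standard flow violated: got "
                            + c.className() + ", expected " + want));
                }
                expected = (expected + 1) % STANDARD_QUERY_FLOW.size();
            }
        }
        return Optional.empty();
    }

    /** Operation S852: the code that initiated the abnormal call is the vulnerable code. */
    private static VulnerabilityInfo toInfo(Call c, String reason) {
        return new VulnerabilityInfo(c.url(), c.callerFile(), c.method(), c.line(), reason);
    }

    public static void main(String[] args) {
        // Constructed first running information: B is called before A (the patent's B, A, C case).
        List<String> log = List.of(
                "DETECT class=Login method=handle caller=Login.java:12 url=/login.asp",
                "DETECT class=B method=run caller=Login.java:40 url=/login.asp",
                "DETECT class=A method=run caller=Login.java:41 url=/login.asp",
                "DETECT class=C method=run caller=Login.java:42 url=/login.asp");
        findAbnormalCall(parse(log)).ifPresentOrElse(
                info -> System.out.println("vulnerability: " + info),
                () -> System.out.println("no abnormal call"));
    }
}
```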
According to the embodiment of the disclosure, after it is determined that a bug exists and bug information is obtained, in order to facilitate operation and maintenance personnel to repair the bug, for example, a danger level of the bug may be classified, or a risk level of an application program may be classified, so that when a plurality of bugs exist or a plurality of application programs are detected, developers may determine how urgent the bug is to be repaired.
Fig. 9 schematically shows a flowchart of a vulnerability detection method according to a third exemplary embodiment of the present disclosure.
As shown in fig. 9, the vulnerability detection method according to the embodiment of the present disclosure may further include, for example, operations S970 to S980 in addition to operations S210 to S230. The operations S970 to S980 may be performed after the operation S250.
In operation S970, a risk level of the vulnerability and/or a risk level of the application program is determined according to the vulnerability information. In operation S980, vulnerability information, a risk level of the vulnerability, and/or a risk level of the application is exposed.
According to an embodiment of the present disclosure, the operation S970 may include, for example: first determining the type of the vulnerability from the vulnerability information, and then determining the danger level of the vulnerability from its type. According to the embodiment of the disclosure, the type of the vulnerability may be determined, for example, by comparing the vulnerability information against a vulnerability comparison table that has a vulnerability information column and a vulnerability type column.
According to an embodiment of the present disclosure, the danger level of a vulnerability may be, for example, high risk, medium risk or low risk. High-risk vulnerabilities may include, for example, vulnerabilities that can be exploited remotely and directly obtain system privileges (e.g., server-side or client-side privileges) or cause serious information leakage, such as command injection, remote command execution, obtaining a WebShell via file upload, SQL injection, buffer overflow, bypassing authentication to directly access the management backend, unauthorized access to core services, weak passwords on core service backends, and the like. Medium-risk vulnerabilities may include, for example, vulnerabilities that allow direct theft of user identity information or lead to ordinary information leakage, including but not limited to stored XSS and client-side plaintext password storage. Low-risk vulnerabilities may include, for example, vulnerabilities that can cause minor information leakage, including but not limited to reflected XSS (including reflected DOM-XSS), JSON hijacking, CSRF (cross-site request forgery), path information leakage, SVN information leakage, phpinfo, and the like.
According to an embodiment of the disclosure, the risk level of the application program may be determined, for example, from the number of vulnerabilities contained in the source file of the application program and their categories. For example, if the source file of the application contains a high-risk vulnerability or a large number of vulnerabilities, the risk level of the application may be determined to be high. If the source file of the application program contains only high-risk vulnerabilities, the risk level of the application program is set to the highest. If the application program contains only one vulnerability and it is a low-risk vulnerability, the risk level of the application program is determined to be the lowest, and so on.
After the danger level of the vulnerability and/or the risk level of the application program has been determined, the level may be displayed, for example, on the display screen of the terminal device 101, so that operation and maintenance personnel can judge the urgency of the fix. According to the embodiment of the disclosure, the vulnerability information may be displayed together with the danger level and/or the risk level, for example, so that operation and maintenance personnel can easily locate the vulnerability to be fixed.
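As an added example (not from the patent) of operation S970 and of the application risk level: a vulnerability comparison table maps the called method recorded in the vulnerability information to a vulnerability type, a second table maps the type to the danger level following the high/medium/low lists above, and the application's risk level is derived from the count and categories of its vulnerabilities. The table entries, the keying on the called method, the default level for unknown types and the threshold for "a large number" are assumptions of this example (Java 16 or later).

```java
import java.util.List;
import java.util.Map;

/**
 * Added example (not the patent's own code) of operation S970 and the application risk
 * level. Table entries, the default level for unknown types and the "large number"
 * threshold are assumptions for this example.
 */
public final class RiskLevels {

    public enum DangerLevel { LOW, MEDIUM, HIGH }
    public enum AppRiskLevel { LOWEST, LOW, MEDIUM, HIGH, HIGHEST }

    /** Vulnerability comparison table (constructed): called method -> vulnerability type. */
    static final Map<String, String> VULN_COMPARISON_TABLE = Map.of(
            "java.io.ObjectInputStream.readObject", "remote command execution",
            "java.sql.Statement.executeQuery",     "SQL injection",
            "response.write",                      "reflected XSS",
            "session.store",                       "stored XSS",
            "phpinfo",                             "phpinfo");

    /** Danger level per vulnerability type, following the patent's high/medium/low lists. */
    static final Map<String, DangerLevel> DANGER_TABLE = Map.ofEntries(
            Map.entry("command injection", DangerLevel.HIGH),
            Map.entry("remote command execution", DangerLevel.HIGH),
            Map.entry("SQL injection", DangerLevel.HIGH),
            Map.entry("buffer overflow", DangerLevel.HIGH),
            Map.entry("stored XSS", DangerLevel.MEDIUM),
            Map.entry("client-side plaintext password storage", DangerLevel.MEDIUM),
            Map.entry("reflected XSS", DangerLevel.LOW),
            Map.entry("CSRF", DangerLevel.LOW),
            Map.entry("phpinfo", DangerLevel.LOW));

    /** Assumed threshold for "the number of vulnerabilities is large". */
    static final int MANY_VULNERABILITIES = 5;

    /** Step 1 of S970: vulnerability information -> vulnerability type (null if unknown). */
    public static String vulnerabilityType(String calledMethod) {
        return calledMethod == null ? null : VULN_COMPARISON_TABLE.get(calledMethod);
    }

    /** Step 2 of S970: vulnerability type -> danger level; unknown types default to MEDIUM. */
    public static DangerLevel dangerLevel(String type) {
        if (type == null) {
            return DangerLevel.MEDIUM; // assumed default so an unknown finding is not ignored
        }
        return DANGER_TABLE.getOrDefault(type, DangerLevel.MEDIUM);
    }

    /** Application risk level from the danger levels of all vulnerabilities in its source file. */
    public static AppRiskLevel applicationRiskLevel(List<DangerLevel> levels) {
        if (levels.isEmpty()) {
            return AppRiskLevel.LOWEST;
        }
        long high = levels.stream().filter(l -> l == DangerLevel.HIGH).count();
        if (high == levels.size()) {
            return AppRiskLevel.HIGHEST;                  // only high-risk vulnerabilities
        }
        if (high > 0 || levels.size() >= MANY_VULNERABILITIES) {
            return AppRiskLevel.HIGH;                     // a high-risk one, or many of them
        }
        if (levels.size() == 1 && levels.get(0) == DangerLevel.LOW) {
            return AppRiskLevel.LOWEST;                   // a single low-risk vulnerability
        }
        return levels.contains(DangerLevel.MEDIUM) ? AppRiskLevel.MEDIUM : AppRiskLevel.LOW;
    }

    public static void main(String[] args) {
        // Constructed vulnerability information: the called method of each finding.
        List<String> called = List.of("java.sql.Statement.executeQuery", "response.write");
        List<DangerLevel> levels = called.stream()
                .map(m -> dangerLevel(vulnerabilityType(m))).toList();
        System.out.println(levels + " -> " + applicationRiskLevel(levels));
    }
}
```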
According to the embodiment of the disclosure, after determining that the application program has a bug, in order to avoid malicious attack, alarm information should be fed back to the server 103 in time, so as to prevent the server 103 or the terminal device 101 from being maliciously attacked in the process of repairing the bug. In addition, in order to ensure normal acquisition of the vulnerability information, the alarm information may be fed back after the vulnerability information is obtained through operation S250, for example.
Fig. 10 schematically shows a flowchart of a vulnerability detection method according to a fourth exemplary embodiment of the present disclosure.
As shown in fig. 10, the vulnerability detection method according to the embodiment of the present disclosure may further include an operation S1090 in addition to the operations S210 to S250, where the operation S1090 may be executed after the operation S250, so as to avoid malicious attacks as far as possible while ensuring that the alarm information can be obtained.
In operation S1090, alarm information is sent to the server that supports the running of the application program, instructing the server to discard requests from the application program when it receives them. With this operation S1090, even if a malicious attack is received, no information leakage or similar damage is caused.
According to the embodiment of the present disclosure, the alarm information may also be sent to the operating system of the terminal device 101 at the same time, for example, so that the operating system discards the request when receiving the request of the application program, thereby avoiding leakage of local information of the terminal device 101.
According to the embodiment of the disclosure, after the vulnerability information is determined, the vulnerability detection method of the embodiment of the disclosure may further provide a patch policy, for example, to automatically patch the vulnerability.
Fig. 11 schematically shows a flowchart of a vulnerability detection method according to a fifth exemplary embodiment of the present disclosure.
As shown in fig. 11, the vulnerability detection method of the embodiment of the present disclosure may further include operations S1100 to S1110 in addition to operations S210 to S250. The operations S1100 to S1110 may be performed after the operation S250.
In operation S1100, patch information matched with the vulnerability information is acquired.
According to the embodiment of the present disclosure, the patch information may be, for example, patch information preset according to each attack feature in an attack feature library, or may be a patch script used when patching an application program that has been attacked. A patch comparison table may be constructed, for example, according to the historical vulnerability information and the patch information. Thus, operation S1100 may include, for example: according to the vulnerability information, patch information corresponding to the vulnerability information in the patch comparison table is determined, and then the corresponding patch information is obtained from the server 103.
In operation S1110, the matched vulnerability is fixed according to the patch information. According to an embodiment of the present disclosure, the operation S1110 may include, for example: running the patch information so as to patch the vulnerability that matches it.
According to the embodiment of the disclosure, after the server 103 and/or the terminal device 101 stops responding to the request of the application according to the alarm information and completes the bug fixing, the bug detection method according to the embodiment of the disclosure may further send a recovery request to the server 103 and/or the terminal device 101, for example, to recover the response of the server 103 and/or the terminal device 101 to the request of the application, so as to ensure the normal operation of the application after bug fixing.
In summary, according to the vulnerability detection method of the embodiment of the present disclosure, the code execution flow can be dynamically analyzed from the running information, so that vulnerabilities can be discovered effectively. Moreover, the vulnerability detection method of the embodiment of the disclosure can determine the danger level of the vulnerability and/or the risk level of the application program, and can display the vulnerability information, the danger level and the risk level, so that a comprehensive, multi-angle visual analysis result is provided for operation and maintenance, and operation and maintenance personnel can accurately grasp the security condition of the application system.
In addition, with this vulnerability detection method, vulnerability detection can be completed while the functional testing of the application program is completed, and the detection is not affected by the complexity of the software. Therefore, the vulnerability detection method of the embodiment of the disclosure is applicable to software products of various complexities, and can detect not only security weaknesses of the application program itself but also the version information and the contained vulnerabilities of third-party software in the application program.
Fig. 12 schematically shows a block diagram of a vulnerability detection apparatus according to an embodiment of the present disclosure.
As shown in fig. 12, the vulnerability detection apparatus 1200 of the embodiment of the present disclosure may include, for example, an attack script generation module 1210, a vulnerability determination module 1220, a detection function insertion module 1230, a running information obtaining module 1240 and a vulnerability information determination module 1250.
The attack script generating module 1210 is configured to generate an attack script for an application according to a source file of the application (operation S210).
The vulnerability determining module 1220 is used for issuing an attack request to the application program according to the attack script to determine whether the application program has a vulnerability (operation S220).
The detection function inserting module 1230 is configured to insert a detection function into the source file according to the source file if it is determined that the application program has a bug (operation S230).
The running information obtaining module 1240 is configured to send a secondary attack request to the application program according to the attack script, so as to run the application program according to the source file inserted into the detection function, and obtain first running information (operation S240).
The vulnerability information determination module 1250 is configured to determine vulnerability information of a vulnerability according to the first operation information (operation S250).
According to an embodiment of the present disclosure, as shown in fig. 12, the attack script generating module 1210 may include, for example, an attack vector obtaining sub-module 1211 and an attack script generating sub-module 1212. The attack vector obtaining sub-module 1211 is configured to obtain an attack vector matching the source file from the feature library according to the source file (operation S511). The attack script generating sub-module 1212 is configured to generate an attack script according to the attack vector and the attack script template (operation S512).
According to an embodiment of the present disclosure, as shown in fig. 12, the vulnerability determining module 1220 may include, for example, a running information obtaining sub-module 1221 and a vulnerability determining sub-module 1222. The operation information obtaining sub-module 1221 is configured to send an attack request to the application program according to the attack script, so as to operate the application program according to the source file, and obtain second operation information (operation S621). The vulnerability determining submodule 1222 is configured to determine that the application program has a vulnerability if the second operation information has an exception (operation S622).
According to an embodiment of the present disclosure, the detection function insertion module 1230 may include, for example, a method class loading sub-module 1231, a method class determination sub-module 1232, and a detection function insertion sub-module 1233. The method class loading submodule 1231 is configured to load a method class in a source file called when the application is executed (operation S731). The method class determination sub-module 1232 is configured to determine a defined method class among the method classes in the called source file, which belongs to the predetermined method class (operation S732). The detection function inserting sub-module 1233 is configured to insert a detection function into the source file at a position where a method class has been defined (operation S733). Wherein the predetermined method classes comprise method classes defined in an application-independent agent.
According to an embodiment of the present disclosure, as shown in fig. 12, the operation information obtaining module 1240 may include, for example, an abnormal call determining sub-module 1241 and a vulnerability information determining sub-module 1242. The abnormal call determining sub-module 1241 may be configured, for example, to determine, according to the first running information, whether an abnormal call exists in the source file with the detection function inserted while the application program runs (operation S851). The vulnerability information determining sub-module 1242 is configured to determine, when an abnormal call exists, the attribute information of the code in the source file according to which the abnormal call is initiated as the vulnerability information (operation S852).
According to an embodiment of the present disclosure, as shown in fig. 12, the vulnerability detection apparatus 1200 further includes a feature library construction module 1260, which is used for constructing a feature library (operation S360). The feature library construction module 1260 may include, for example, a message obtaining sub-module 1261, a feature extraction sub-module 1262, a vector generation sub-module 1263, and a relationship establishing sub-module 1264. The message obtaining sub-module 1261 is configured to obtain attack feature messages for a plurality of vulnerability samples (operation S461). The feature extraction sub-module 1262 is configured to extract attack features from the attack feature messages to obtain a plurality of attack features (operation S462). The vector generation sub-module 1263 is configured to generate a plurality of attack vectors for the plurality of attack features according to a predetermined rule (operation S463). The relationship establishing sub-module 1264 is configured to establish, according to the context information of the plurality of vulnerability samples, a mapping relationship between the plurality of attack vectors and the context information (operation S464).
According to an embodiment of the present disclosure, as shown in fig. 12, the vulnerability detection apparatus 1200 may further include, for example, a level determination module 1270 and a display module 1280. The level determination module 1270 is configured to determine a risk level of the vulnerability and/or a risk level of the application program according to the vulnerability information after the vulnerability information determining module 1250 has determined the vulnerability information of the vulnerability (operation S970). The display module 1280 is configured to display the vulnerability information, the risk level of the vulnerability, and/or the risk level of the application program (operation S980).
According to an embodiment of the present disclosure, as shown in fig. 12, the vulnerability detection apparatus 1200 may further include, for example, an alarm information sending module 1290, which is configured to send alarm information to a server providing support for the running of the application program after the vulnerability information determining module 1250 has determined the vulnerability information of the vulnerability, so as to instruct the server to discard a request of the application program when it receives that request (operation S1090).
According to an embodiment of the present disclosure, as shown in fig. 12, the vulnerability detection apparatus 1200 may further include, for example, a patch information obtaining module 12100 and a vulnerability resolution module 12110. The patch information obtaining module 12100 is configured to obtain patch information matching the vulnerability information (operation S1100). The vulnerability resolution module 12110 is configured to resolve the matched vulnerability according to the patch information (operation S1110).
Any number of modules, sub-modules, units, sub-units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, and sub-units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.
Fig. 13 schematically shows a block diagram of an electronic device adapted to perform a vulnerability detection method according to an embodiment of the present disclosure. The electronic device shown in fig. 13 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 13, an electronic device 1300 according to an embodiment of the present disclosure includes a processor 1301 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)1302 or a program loaded from a storage section 1308 into a Random Access Memory (RAM) 1303. The processor 1301 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 1301 may also include onboard memory for caching purposes. Processor 1301 may include a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
In the RAM 1303, various programs and data necessary for the operation of the electronic apparatus 1300 are stored. The processor 1301, the ROM 1302, and the RAM 1303 are connected to each other via a bus 1304. The processor 1301 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 1302 and/or the RAM 1303. Note that the programs may also be stored in one or more memories other than the ROM 1302 and RAM 1303. The processor 1301 may also perform various operations of method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, the electronic device 1300 may also include an input/output (I/O) interface 1305, which is also connected to the bus 1304. The electronic device 1300 may also include one or more of the following components connected to the I/O interface 1305: an input portion 1306 including a keyboard, a mouse, and the like; an output portion 1307 including a display such as a Cathode Ray Tube (CRT) or a Liquid Crystal Display (LCD), and a speaker; a storage portion 1308 including a hard disk and the like; and a communication portion 1309 including a network interface card such as a LAN card, a modem, or the like. The communication portion 1309 performs communication processing via a network such as the Internet. A drive 1310 is also connected to the I/O interface 1305 as needed. A removable medium 1311 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 1310 as necessary, so that a computer program read out from it can be installed into the storage portion 1308 as necessary.
According to embodiments of the present disclosure, method flows according to embodiments of the present disclosure may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such embodiments, the computer program may be downloaded and installed from a network via communications component 1309 and/or installed from removable media 1311. The computer program, when executed by the processor 1301, performs the functions defined in the system of the embodiments of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to an embodiment of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium. Examples may include, but are not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 1302 and/or the RAM 1303 described above, and/or one or more memories other than the ROM 1302 and the RAM 1303.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
It will be appreciated by those skilled in the art that the foregoing describes embodiments of the disclosure. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (10)

1. A vulnerability detection method, comprising:
generating an attack script for an application program according to a source file of the application program;
wherein the generating an attack script for the application program comprises:
constructing a feature library, wherein the constructing the feature library comprises:
acquiring attack feature messages for a plurality of vulnerability samples;
extracting attack features from the attack feature messages to obtain a plurality of attack features;
generating a plurality of attack vectors for the plurality of attack features according to a predetermined rule; and
establishing, according to context information of the plurality of vulnerability samples, a mapping relationship between the plurality of attack vectors and the context information;
obtaining, from the feature library, an attack vector matching the source file according to the source file; and
generating the attack script according to the attack vector and an attack script template;
sending an attack request to the application program according to the attack script to determine whether the application program has a vulnerability; and
in the event that it is determined that the application program has a vulnerability:
inserting a detection function into the source file according to the source file;
wherein the inserting a detection function into the source file comprises:
setting an insertion point according to context information of the code in the source file; and
inserting the detection function at the position of the insertion point;
sending a secondary attack request to the application program according to the attack script, so as to run the application program according to the source file with the detection function inserted and obtain first running information; and
determining vulnerability information of the vulnerability according to the first running information.
2. The method of claim 1, wherein the sending an attack request to the application program according to the attack script to determine whether the application program has a vulnerability comprises:
sending an attack request to the application program according to the attack script, so as to run the application program according to the source file and obtain second running information; and
determining that the application program has a vulnerability in the event that the second running information is abnormal.
3. The method of claim 1, wherein the inserting a detection function into the source file comprises:
loading a method class of the source file that is called when the application program runs;
determining, among the loaded method classes of the source file, a defined method class that belongs to a predetermined method class; and
inserting the detection function into the source file at the location of the defined method class,
wherein the predetermined method class comprises a method class defined in an agent independent of the application program.
4. The method of claim 1, wherein the determining vulnerability information of the vulnerability comprises:
determining, according to the first running information, whether an abnormal call exists in the source file with the detection function inserted while the application program runs; and
in the event that the abnormal call exists, determining attribute information of the code in the source file according to which the abnormal call is initiated as the vulnerability information.
5. The method of claim 1, further comprising, after determining the vulnerability information of the vulnerability:
determining a risk level of the vulnerability and/or a risk level of the application program according to the vulnerability information; and
displaying the vulnerability information, the risk level of the vulnerability and/or the risk level of the application program.
6. The method of claim 1, further comprising, after determining the vulnerability information of the vulnerability:
sending alarm information to a server providing support for the running of the application program, so as to instruct the server to discard a request of the application program when it receives that request.
7. The method of claim 1, further comprising, after determining the vulnerability information of the vulnerability:
acquiring patch information matching the vulnerability information; and
resolving the matched vulnerability according to the patch information.
8. A vulnerability detection apparatus, comprising:
an attack script generation module, configured to generate an attack script for an application program according to a source file of the application program;
a vulnerability determining module, configured to send an attack request to the application program according to the attack script, so as to determine whether the application program has a vulnerability;
a detection function insertion module, configured to insert, according to the source file, a detection function into the source file when it is determined that the application program has a vulnerability, which comprises: setting an insertion point according to context information of the code in the source file; and inserting the detection function at the position of the insertion point;
a running information obtaining module, configured to send a secondary attack request to the application program according to the attack script, so as to run the application program according to the source file with the detection function inserted and obtain first running information; and
a vulnerability information determining module, configured to determine vulnerability information of the vulnerability according to the first running information;
wherein the generating an attack script for the application program comprises:
constructing a feature library, wherein the constructing the feature library comprises:
acquiring attack feature messages for a plurality of vulnerability samples;
extracting attack features from the attack feature messages to obtain a plurality of attack features;
generating a plurality of attack vectors for the plurality of attack features according to a predetermined rule; and
establishing, according to context information of the plurality of vulnerability samples, a mapping relationship between the plurality of attack vectors and the context information;
obtaining, from the feature library, an attack vector matching the source file according to the source file; and
generating the attack script according to the attack vector and an attack script template.
9. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the vulnerability detection method of any of claims 1-7.
10. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the vulnerability detection method of any of claims 1-7.
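The detection-function step that the apparatus description (operation information obtaining module 1240 and level determination module 1270) and claims 3 to 5 describe, as an added example that is not code from the patent or its assignee: a small Python agent, independent of the application, inserts a wrapper (the detection function) at the predetermined methods of a constructed application, replays a request carrying a constructed marker, records the first running information, and turns any sink call that received the marker unchanged into vulnerability information (file, line and function of the calling code) with a risk level. `DetectionAgent`, `ATTACK_MARKER`, `SINK_RISK`, the `Database`/`Logger` stand-ins, the two handlers and the "marker reached the sink" criterion for an abnormal call are all assumptions of this example, not details taken from the patent.

```python
import functools
import inspect

# Constructed marker carried by the secondary attack request. Assumption of
# this example: a predetermined method (sink) that receives the marker
# unchanged is an "abnormal call", because raw request data reached it.
ATTACK_MARKER = "__PROBE_MARKER__"

# Assumed risk levels per predetermined method class (not from the patent).
SINK_RISK = {"sql_execute": "high", "log_write": "low"}
RISK_ORDER = {"low": 1, "medium": 2, "high": 3}


class DetectionAgent:
    """Agent independent of the application: it owns the detection functions
    and the first running information those functions collect."""

    def __init__(self):
        self.records = []      # first running information: one dict per sink call
        self._originals = []   # (holder, method name, original bound method)

    def _detection_function(self, sink_name, original):
        @functools.wraps(original)
        def wrapper(*args, **kwargs):
            caller = inspect.stack()[1]   # application code that initiated the call
            self.records.append({
                "sink": sink_name,
                "argument": " ".join(str(a) for a in args),
                "file": caller.filename,
                "line": caller.lineno,
                "function": caller.function,
            })
            return original(*args, **kwargs)
        return wrapper

    def insert(self, holder, method_name, sink_name):
        """Insertion point: the defined method on the object `holder` that
        belongs to the predetermined method class `sink_name`."""
        original = getattr(holder, method_name)
        self._originals.append((holder, method_name, original))
        setattr(holder, method_name, self._detection_function(sink_name, original))

    def remove(self):
        """Put the original methods back once the run is over."""
        for holder, method_name, original in reversed(self._originals):
            setattr(holder, method_name, original)
        self._originals.clear()

    def vulnerabilities(self):
        """Abnormal call -> vulnerability information: the attribute information
        (file, line, function) of the code that initiated it, plus a risk level."""
        found = []
        for rec in self.records:
            if ATTACK_MARKER in rec["argument"]:
                found.append({
                    "sink": rec["sink"],
                    "file": rec["file"],
                    "line": rec["line"],
                    "function": rec["function"],
                    "risk_level": SINK_RISK.get(rec["sink"], "medium"),
                })
        return found


def application_risk_level(vulns):
    """Risk level of the application: the highest level among its vulnerabilities."""
    if not vulns:
        return "none"
    return max((v["risk_level"] for v in vulns), key=RISK_ORDER.__getitem__)


# --- Constructed application under test (stand-ins, not real project code) ---

class Database:
    def execute(self, query):
        return "executed: " + query


class Logger:
    def write(self, line):
        return line


db = Database()
log = Logger()


def search_handler(user_input):
    """Builds query and log text from raw request data, so the marker reaches both sinks."""
    log.write("search=" + user_input)
    return db.execute("SELECT * FROM items WHERE name = '" + user_input + "'")


def safe_handler(user_input):
    """Parameterised query: the request data never becomes part of the sink argument."""
    return db.execute("SELECT * FROM items WHERE name = ?"), user_input


def run_detection(handler):
    """Insert the detection functions, replay the marked request, collect the findings."""
    agent = DetectionAgent()
    agent.insert(db, "execute", "sql_execute")
    agent.insert(log, "write", "log_write")
    try:
        handler(ATTACK_MARKER)   # the secondary attack request
    finally:
        agent.remove()
    return agent.vulnerabilities()
```

Running `run_detection(search_handler)` yields two findings, both pointing at `search_handler` and at the two lines that pass the raw input on, with the SQL sink rated high and the application therefore rated high; `run_detection(safe_handler)` yields nothing, because the sink argument never contains the marker. The wrapper records every sink call, but only a call whose argument still carries the marker is treated as abnormal; this is the assumed criterion, and a real agent would need a taint-tracking or response-based check in its place.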
CN201911154446.9A 2019-11-21 2019-11-21 Vulnerability detection method and device, electronic equipment and readable storage medium Active CN110929264B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911154446.9A CN110929264B (en) 2019-11-21 2019-11-21 Vulnerability detection method and device, electronic equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN110929264A CN110929264A (en) 2020-03-27
CN110929264B true CN110929264B (en) 2022-08-30

Family

ID=69851598

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911154446.9A Active CN110929264B (en) 2019-11-21 2019-11-21 Vulnerability detection method and device, electronic equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN110929264B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111865979A (en) * 2020-07-20 2020-10-30 北京丁牛科技有限公司 Vulnerability information processing method and network attack and defense platform
CN112329021B (en) * 2020-11-09 2024-03-26 杭州安恒信息技术股份有限公司 Method and device for checking application loopholes, electronic device and storage medium
CN114564945B (en) * 2020-11-27 2024-08-13 北京字跳网络技术有限公司 Method, device, equipment and storage medium for processing fields
CN113114680B (en) * 2021-04-13 2023-04-07 中国工商银行股份有限公司 Detection method and detection device for file uploading vulnerability
CN113162945B (en) * 2021-05-07 2021-12-14 北京安普诺信息技术有限公司 Vulnerability detection analysis method and device and vulnerability verification method and system based on vulnerability detection analysis method and device
CN113158191B (en) * 2021-05-26 2022-01-07 北京安普诺信息技术有限公司 Vulnerability verification method based on intelligent probe and related IAST method and system
CN113254944B (en) * 2021-06-08 2022-08-09 工银科技有限公司 Vulnerability processing method, system, electronic device, storage medium and program product
CN114629686A (en) * 2022-02-21 2022-06-14 奇安信科技集团股份有限公司 Vulnerability attack detection method and device
CN117879976B (en) * 2024-03-11 2024-05-28 全通金信控股(广东)有限公司 Request data processing method based on cross-site scripting attack and computer equipment

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104683328A (en) * 2015-01-29 2015-06-03 兴华永恒(北京)科技有限责任公司 Method and system for scanning cross-site vulnerability
CN105138903A (en) * 2015-08-14 2015-12-09 电子科技大学 ROP attack detection method based on RET instructions and JMP instructions
CN106716432A (en) * 2014-09-22 2017-05-24 迈克菲股份有限公司 Pre-launch process vulnerability assessment
CN108667816A (en) * 2018-04-19 2018-10-16 重庆邮电大学 A kind of the detection localization method and system of Network Abnormal
CN109165507A (en) * 2018-07-09 2019-01-08 深圳开源互联网安全技术有限公司 Cross-site scripting attack leak detection method, device and terminal device
CN109426722A (en) * 2017-09-01 2019-03-05 深圳市源伞新科技有限公司 SQL injection defect inspection method, system, equipment and storage medium
CN109558734A (en) * 2018-11-28 2019-04-02 北京梆梆安全科技有限公司 A kind of detection method and device, the mobile device of storehouse safety
CN110113311A (en) * 2019-03-05 2019-08-09 北京丁牛科技有限公司 Cross-site scripting attack XSS leak detection method and device
CN110266669A (en) * 2019-06-06 2019-09-20 武汉大学 A kind of Java Web frame loophole attacks the method and system of general detection and positioning
CN110390202A (en) * 2019-07-30 2019-10-29 中国工商银行股份有限公司 For detecting method, apparatus, system, equipment and the medium of service logic loophole
CN110414242A (en) * 2019-08-02 2019-11-05 中国工商银行股份有限公司 For detecting the method, apparatus, equipment and medium of service logic loophole

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7945958B2 (en) * 2005-06-07 2011-05-17 Vmware, Inc. Constraint injection system for immunizing software programs against vulnerabilities and attacks
CN103366120A (en) * 2012-04-10 2013-10-23 中国信息安全测评中心 Bug attack graph generation method based on script
CN106411906A (en) * 2016-10-10 2017-02-15 合肥红珊瑚软件服务有限公司 SQL (Structured Query Language) injection flaw positioning and detecting method
CN106357696B (en) * 2016-11-14 2020-02-07 北京神州绿盟信息安全科技股份有限公司 SQL injection attack detection method and system
CN108459954B (en) * 2017-02-22 2022-08-26 腾讯科技(深圳)有限公司 Application program vulnerability detection method and device

Also Published As

Publication number Publication date
CN110929264A (en) 2020-03-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant